Does WinSpirit sell my personal information?
No. We do not sell personal information. We share it with vetted service providers strictly to operate the Service and meet our legal obligations.
Privacy Policy
Privacy Policy
Last updated: 1 May 2026
This Privacy Policy explains how WinSpirit Casino, operated by Hollycorn N.V. ("WinSpirit", "we", "us", or "our"), collects, uses, discloses, and safeguards the personal information of players in Canada. We comply with the federal PIPEDA and applicable provincial privacy laws, including Quebec's Act respecting the protection of personal information in the private sector (Law 25), and the British Columbia and Alberta Personal Information Protection Acts.
1. Introduction & Scope
This Policy applies to personal information that WinSpirit collects from Canadian residents through our website, mobile interfaces, customer-support channels, and any associated services (collectively, the "Service"). It does not apply to third-party websites or applications that you may reach via links from our Service; their privacy practices are governed by their own policies.
By creating an account or otherwise using the Service, you confirm that you are of legal gambling age in your province (19 in most provinces; 18 in Alberta, Manitoba, and Quebec) and that you have read and understood how we handle your personal information.
2. Data Controller Information
The data controller responsible for your personal information is:
- Legal entity: Hollycorn N.V.
- Registered address: Heelsumstraat 51, E-Commerce Park, Willemstad, Curaçao
- Licensing authority: Antillephone N.V., authorised by the Government of Curaçao, licence 8048/JAZ2020-013
- Privacy / Data Protection Officer: [email protected]
For Quebec residents, Hollycorn N.V. designates a Person in Charge of the Protection of Personal Information ("Privacy Officer") under Law 25, contactable at the same address.
3. Personal Information We Collect
The categories of personal information we collect depend on how you use the Service.
3.1 Identification information
Full name, date of birth, gender, nationality, and a copy of a government-issued photo ID (passport, driver's licence, or provincial photo ID) when required by our KYC obligations.
3.2 Contact information
Residential address, country and province of residence, email address, and mobile phone number.
3.3 Financial & transactional information
Payment method details (e.g., the last four digits of a card, the masked Interac e-Transfer reference), deposit and withdrawal history, in-game transaction history, and source-of-funds documentation where applicable.
3.4 Gameplay & behavioural information
Your wagering activity, bet sizes, session duration, game preferences, bonus history, and responsible-gaming choices (limits set, self-exclusion status).
3.5 Technical information
IP address (used for geolocation and fraud prevention), device identifiers, browser type and version, operating system, time-zone settings, and pages viewed on the Service.
3.6 Marketing preferences
Your consent or refusal regarding promotional emails, SMS, and push notifications, and your interactions with marketing campaigns.
4. How We Collect Information
We collect personal information in three ways:
- Directly from you — when you register, deposit funds, complete KYC, contact support, or update your account.
- Automatically — through cookies, log files, and similar technologies as you use the Service. See our Cookies Policy for details.
- From third parties — including identity-verification vendors, payment processors, anti-fraud services, sanctions/PEP screening providers, and game suppliers, where permitted by law and necessary to operate the Service.
5. Legal Basis for Processing
Under PIPEDA, the lawful processing of personal information is generally based on knowledge and consent. We rely on the following grounds:
| Activity | Legal basis |
|---|---|
| Account creation, depositing, wagering | Performance of our contract with you (Terms & Conditions) |
| KYC, AML, sanctions and PEP screening | Compliance with legal obligations under our licence and the PCMLTFA |
| Fraud prevention, chargeback investigations, security | Legitimate interest balanced against your privacy rights |
| Marketing communications | Express consent under PIPEDA and the CASL |
| Responsible-gaming interventions | Legitimate interest in player protection and licence conditions |
| Analytics and service improvement | Consent (where required) and legitimate interest (for aggregated data) |
6. How We Use Personal Information
We use personal information to:
- Verify your identity, age, and residence and to comply with our anti-money-laundering obligations;
- Operate your account, process deposits and withdrawals, and credit winnings or bonuses;
- Detect, prevent, and investigate fraud, collusion, multi-accounting, and bonus abuse;
- Provide customer support, respond to enquiries, and resolve complaints;
- Operate responsible-gaming tools and conduct duty-of-care interventions;
- Send transactional notifications (e.g., withdrawal confirmations) and, where you have consented, marketing communications;
- Improve the Service through analytics, A/B testing, and product research;
- Meet our legal, regulatory, accounting, and reporting obligations.
7. Data Sharing & Third Parties
We do not sell your personal information. We share it only with the categories of recipients listed below, and only to the extent strictly necessary.
| Recipient category | Purpose |
|---|---|
| Payment processors and acquirers | To process deposits and withdrawals |
| Identity-verification & KYC vendors | To confirm your identity, age, and address |
| Anti-fraud and risk-scoring vendors | To detect suspicious activity and protect the Service |
| Game-content suppliers and platform providers | To provide the games you play (e.g., session and wagering data) |
| Cloud hosting and infrastructure providers | To host the Service and store data securely |
| Customer-support & CRM platforms | To handle tickets, live chat, and email correspondence |
| Analytics & marketing platforms (with consent) | To measure service usage and deliver personalised offers |
| Regulators, auditors, and law-enforcement bodies | When we are legally required to disclose |
| Professional advisers (legal, accounting) | To obtain advice and meet statutory obligations |
All third-party processors are bound by written contracts requiring them to protect your data, use it only on our instructions, and apply security measures equivalent to ours.
8. International Data Transfers
WinSpirit operates internationally. Your personal information may be processed and stored in the European Union (Frankfurt, Germany; Amsterdam, the Netherlands) and Canada (Toronto, Ontario), with disaster-recovery in Dublin, Ireland and other jurisdictions where our service providers are located. Some of these jurisdictions may not offer the same level of legal protection as Canada.
Where we transfer personal information outside of Canada, we apply contractual safeguards, including data-processing agreements with standard protective clauses, to ensure a comparable level of protection. In line with PIPEDA's accountability principle, we remain responsible for personal information transferred to a third party for processing on our behalf.
9. Data Retention Periods
We retain personal information only for as long as necessary to fulfil the purposes set out in this Policy, unless a longer retention period is required by law.
| Data category | Retention period | Reason |
|---|---|---|
| KYC documents and AML records | 5 years after the end of the business relationship | PCMLTFA / FINTRAC obligations |
| Transactional and gameplay records | 5 years | AML and licensing requirements |
| Account profile data | For the life of the account + 5 years | Disputes, audits, and legal claims |
| Self-exclusion records | For the duration of the exclusion + 5 years | Player-protection and re-registration prevention |
| Customer-support correspondence | 3 years after closure of the ticket | Quality assurance and dispute resolution |
| Marketing-consent records | 3 years after withdrawal of consent | CASL evidence-of-consent requirement |
| Cookies & analytics data | As described in our Cookies Policy (typically up to 24 months) | Service operation and analytics |
Once retention periods expire, we either irreversibly delete or anonymise the data. Detailed retention rules are documented internally — see the retention schedule maintained by our Privacy Office (available on request).
10. Data Security Measures
WinSpirit applies organisational and technical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption in transit (TLS 1.2 or higher) and at rest for sensitive data;
- Network segmentation, firewalls, intrusion-detection, and 24/7 security monitoring;
- Strong authentication for staff, role-based access control, and the principle of least privilege;
- Regular vulnerability scanning and independent penetration testing;
- PCI DSS compliance for payment-card processing through our acquirers;
- Information-security policies aligned with ISO 27001 best practice;
- Confidentiality obligations and ongoing privacy training for all employees and contractors.
11. Cookies & Similar Technologies
We use cookies, pixels, local-storage entries, and similar technologies to operate the Service, remember your preferences, prevent fraud, and — with your consent — measure performance and personalise marketing. You can review and change your choices at any time via our cookie banner. Full details are set out in our Cookies Policy.
12. Your Rights under PIPEDA
PIPEDA gives you a number of rights over your personal information, organised around the ten Fair Information Principles:
- Accountability — we are responsible for personal information under our control and have appointed a Privacy Officer.
- Identifying purposes — we tell you why we are collecting your information at or before the time of collection.
- Consent — we collect, use, and disclose personal information with your knowledge and consent (with limited exceptions allowed by law).
- Limiting collection — we collect only what we reasonably need.
- Limiting use, disclosure, and retention — we use and keep data only for the purposes for which it was collected.
- Accuracy — we keep your information as accurate, complete, and up to date as is necessary for the purposes for which it is used.
- Safeguards — we apply security safeguards appropriate to the sensitivity of the information.
- Openness — our practices are publicly available in this Policy.
- Individual access — you can request access to your personal information and ask us to correct it where it is inaccurate.
- Challenging compliance — you can challenge our compliance with the Privacy Officer and with the Office of the Privacy Commissioner of Canada (OPC).
12.1 Quebec residents (Law 25)
If you live in Quebec, you have additional rights under Law 25, including the right to data portability (to receive your computerised personal information in a structured, commonly used format), to be informed about and to object to automated decision-making based solely on automated processing, and to request that a profiling or geolocation function be disabled where applicable. To exercise these rights, contact our Privacy Officer.
12.2 British Columbia and Alberta residents
If you live in British Columbia or Alberta, the provincial Personal Information Protection Acts apply. Your rights are broadly equivalent to those under PIPEDA. Complaints can be addressed to the Office of the Information and Privacy Commissioner for British Columbia or for Alberta.
13. How to Exercise Your Rights
To exercise any of the above rights, send a request to [email protected] from the email address registered to your account. We may need to verify your identity before responding.
We aim to respond to access and correction requests within 30 days, in line with PIPEDA. If we cannot meet that timeframe, we will tell you why and when we expect to respond. There is no fee for routine requests; we may charge a reasonable cost-recovery fee for unusually large or repeated requests, and we will let you know in advance.
14. Children's Privacy
The Service is not intended for, marketed to, or used by anyone under the legal gambling age in their province. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information to us, contact [email protected] immediately and we will delete the information and close the account.
15. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make a material change, we will post a notice on the Service and update the "Last updated" date at the top of the page. We encourage you to review this Policy periodically. Your continued use of the Service after changes are posted constitutes your acceptance of the revised Policy.
16. Contact & Complaints
If you have any questions about this Policy or about how we handle your personal information, please contact our Privacy Officer first:
- Email: [email protected]
- Post: Hollycorn N.V., Heelsumstraat 51, E-Commerce Park, Willemstad, Curaçao
If you are not satisfied with our response, you may file a complaint with the appropriate Canadian regulator:
- Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca — federal complaints under PIPEDA.
- Commission d'accès à l'information (CAI) — cai.gouv.qc.ca — for Quebec residents.
- Office of the Information and Privacy Commissioner for British Columbia — oipc.bc.ca.
- Office of the Information and Privacy Commissioner of Alberta — oipc.ab.ca.
Frequently Asked Questions
How do I request a copy of the data you hold about me?
Email [email protected] from your registered email address. We aim to respond within 30 days under PIPEDA.
Can I ask you to delete my data?
You can ask us to delete personal information that we are not legally required to retain. We must keep certain records (for example, KYC and transaction history) for up to five years under the PCMLTFA, even after account closure.
How long do you keep my information after I close my account?
Most account-related data is retained for at least five years after closure to meet anti-money-laundering and licensing obligations. After that, it is deleted or anonymised in line with our retention schedule.
Where is my data stored?
Your data is hosted in the European Union (Frankfurt, Germany; Amsterdam, the Netherlands) and Canada (Toronto, Ontario), with disaster-recovery in Dublin, Ireland using reputable cloud providers. Some processing may occur in other jurisdictions through our service providers; in all cases we apply contractual safeguards.
How do I unsubscribe from marketing emails?
Click "unsubscribe" in any marketing email, change your preferences in your account, or email [email protected]. Transactional emails (for example, withdrawal confirmations) will continue regardless.